Privacy Policy

Last updated: May 17, 2026

1. Data Controller

Caymaz TechHealth Yazilim Tic. Ltd. Sti. ("ClinicArchitect", "we") processes your personal data under applicable privacy and data protection laws, including the where it applies and for users in Turkey.

Legal name: Caymaz TechHealth Yazilim Tic. Ltd. Sti.
MERSIS: 0203091510500001 | Tax office: Başakşehir | Tax no: 2030915105
Address: Istanbul, Turkey

2. Data We Collect

Through the mobile app and web portal we collect:
• Account data: email, display name, profile photo (via Google/Apple/Firebase sign-in)
• Clinic data: clinic name, address, contact details
• Patient data: name, phone, email, passport number, medical notes (; encrypted at the application layer with AES-256-GCM)
• Usage data: session logs, error reports, in-app activity
• Subscription data: subscription status only (payments are processed by Apple/Google)
• Device data: device model, OS, FCM push token
• Uploaded files: clinic/patient-related images (Cloudflare R2)
• Consent records: which agreements you accepted, version, date, and technical proof (IP address truncated where stored)

3. How We Collect Information

We collect data:
• **Directly from you** — registration, profile settings, clinic setup, patient entry, support messages, consent checkboxes
• **Automatically** — server logs, security events, API usage, push notification tokens, locale preference cookies on the website
• **From third parties** — identity attributes from Firebase Authentication; subscription status from Adapty and app stores (we do not receive payment card numbers)

4. How We Use Your Data

We use collected data to:
• Provide clinic management services
• Enable appointments, patient tracking, and clinical workflows
• Manage mobile app subscriptions (Adapty / store infrastructure)
• Send service-related push notifications (with your device permission)
• Ensure security and prevent fraud
• Provide support and fix issues
• Comply with legal obligations
• Send marketing communications **only if you opt in** (optional)

5. Legal Basis for Processing

Depending on your location and the type of data, we rely on:
• **Contract** — to provide the Service you signed up for
• **Consent** — for optional marketing, and where required for processing entered by your clinic (the clinic is the for patient data)
• **Legitimate interests** — security, fraud prevention, service improvement (balanced against your rights)
• **Legal obligation** — tax, regulatory, or law-enforcement requests

6. Data Security

Patient personal data is encrypted at the application layer using AES-256-GCM before storage. Encryption keys are kept as secure environment variables on production servers and are not stored in the database. Database and API traffic use TLS. Servers are hosted on Hetzner infrastructure.

7. Sharing and Sub-processors

We **do not sell** your personal information. We **do not share** patient data for advertising or unrelated commercial purposes.

We use the following **sub-processors** only to operate the Service. Each maintains their own privacy and data processing terms:
• **Firebase Authentication** (Google LLC, USA) — identity; Google Cloud Data Processing Terms: https://firebase.google.com/support/privacy
• **Adapty Inc.** (USA) — subscription management (anonymous user identifier); Adapty Privacy Policy: https://adapty.io/privacy/
• **Apple App Store / Google Play** — in-app payments (payment details are not shared with us)
• **Hetzner Online GmbH** (Germany, EU) — API and database hosting; Hetzner Privacy Policy: https://www.hetzner.com/legal/privacy-policy
• **Cloudflare, Inc.** (EU region, R2) — file storage; Cloudflare GDPR commitments: https://www.cloudflare.com/gdpr/introduction/
• **Firebase Cloud Messaging** (Google LLC, USA) — push notifications; covered under Google Cloud Data Processing Terms
• Competent authorities when legally required

By accepting our Terms and DPA, you acknowledge we use these sub-processors. Our website does not process direct payments.

8. International Transfers

Your data is primarily processed in the European Union on Hetzner (Germany). Some sub-processors (Firebase, Adapty, Cloudflare) may process data outside the EU/EEA; such transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent mechanisms ensuring an adequate level of protection.

9. Data Retention

Data for active clinic accounts is retained during the subscription period plus 90 days. Upon account deletion request, personal data is removed within 30 days; audit logs may be kept for up to 24 months where required by law. Consent records may be retained to demonstrate compliance for the applicable statutory period.

10. Your Rights and Request Timelines

Where applicable under , , and other laws, you may have rights to access, rectify, erase, restrict processing, object, and data portability.

**How to exercise rights:** email info@caymaztech.com or use in-app **Privacy & data** (export / delete account). We may verify your identity before responding.

**Response times (typical):**
• GDPR: within 1 month (extendable to 3 months for complex requests)
• KVKK: within 30 days (extendable to 60 days with notice)
• CCPA/CPRA: within 45 days (extendable to 90 days where permitted)

You may lodge a complaint with your supervisory authority (e.g. KVKK Kurulu in Turkey, your EU DPA, or the California Attorney General).

11. Cookies and Similar Technologies

Our website uses essential cookies (e.g. language preference `NEXT_LOCALE`). We do not use third-party advertising cookies on the marketing site. For details, see our Cookie Policy at `/en/cookies` (or your locale path). You can manage preferences via the cookie banner on first visit.

12. Marketing and Optional Processing

Marketing emails or promotional push messages are sent **only if you opt in** separately. You may withdraw marketing consent at any time in account settings or by emailing info@caymaztech.com. Withdrawal does not affect lawfulness of processing before withdrawal.

13. Do Not Sell or Share My Personal Information

**We do not sell personal information.** We do not share personal information for cross-context behavioral advertising. Because we do not sell or share personal information for such purposes, there is no opt-out mechanism to configure. If our practices change, we will update this policy and provide a compliant opt-out where required.

14. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have rights to know, access, delete, and correct personal information, and to opt out of the **sale** or **sharing** of personal information for cross-context behavioral advertising (see Section 13). To exercise your rights, contact info@caymaztech.com. We will not discriminate against you for exercising your rights.

15. Data Breach Notification

If a personal data breach is likely to result in risk to your rights, we will notify the competent supervisory authority within 72 hours where required (e.g. GDPR, KVKK) and affected individuals without undue delay when the risk is high. Report suspected incidents to info@caymaztech.com.

16. In-App Purchases

Subscription plans are offered only via the App Store (Apple) and Google Play. All payment transactions are handled by the store; no payment card data is stored on ClinicArchitect servers.

17. Children's Privacy

ClinicArchitect is not directed at individuals under 18. We do not knowingly collect personal data from children.

18. Updates

This policy may be updated from time to time. Material changes will be communicated by email or in-app notification at least 30 days before they take effect where practicable.

19. Contact

Privacy & data protection: info@caymaztech.com
General support: info@caymaztech.com
Caymaz TechHealth Yazilim Tic. Ltd. Sti. — ClinicArchitect